This new Linux malware also features technical overlaps (the same functionality and command-and-control servers) with Windows DLL files hinting at the same developer.
Vermilion Strike comes with the same configuration format as the official Windows beacon and can speak with all Cobalt Strike servers, but doesn’t use any of Cobalt Strike’s code. Intezer researchers, who first spotted the beacon re-implementation in August and dubbed it Vermilion Strike, said that the Cobalt Strike ELF binary they discovered is currently fully undetected by anti-malware solutions.
Using these beacons, threat actors can now gain persistence and remote command execution on both Windows and Linux machines. In a new report by security firm Intezer, researchers explain how threat actors have taken it upon themselves to create their Linux beacons compatible with Cobalt Strike. However, Cobalt Strike has always had a weakness - it only supports Windows devices and does not include Linux beacons.
#COBALT STRIKE BEACON LIST FILES CRACKED#
Over time, cracked copies of Cobalt Strike have been obtained and shared by threat actors, becoming one of the most common tools used in cyberattacks leading to data theft and ransomware. An unofficial Cobalt Strike Beacon Linux version made by unknown threat actors from scratch has been spotted by security researchers while actively used in attacks targeting organizations worldwide.Ĭobalt Strike is a legitimate penetration testing tool designed as an attack framework for red teams (groups of security professionals who act as attackers on their own org’s infrastructure to discover security gaps and vulnerabilities.)Ĭobalt Strike is also used by threat actors (commonly dropped in ransomware attacks) for post-exploitation tasks after deploying so-called beacons, which provide persistent remote access to compromised devices. Using beacons, attackers can later access breached servers to harvest data or deploy further malware payloads.